COMMON PITFALLS: COMPLYING WITH PERSONAL DATA PROTECTION LAW
In light of the recent spate of data breaches affecting both private and public institutions, the Singapore government is tightening the reins on personal data protection. Organisations should therefore plan ahead and prepare for the proposed amendments to Singapore’s Personal Data Protection Act (PDPA).
Some of the key amendments proposed in the Personal Data Protection (Amendment) Bill 2020 include:
- Mandatory data breach notification
Organisations will be obliged to notify the Personal Data Protection Commission (PDPC) of significant data breaches as soon as practicable, and in any event no later than 3 days after the day on which the organisation assesses the breach to be notifiable.
- Increased financial penalties
Organisations will face increased fines of up to 10% of annual turnover or S$1 million, whichever is higher.
- Expanded scope for deemed consent
Deemed consent will be expanded to cover consent by contractual necessity, and consent by notification, where individuals have been notified of the purpose of the data processing and given an opportunity to opt out but have not done so.
- Data portability obligation
Organisations will be required to transmit an individual’s personal data to another service provider at the request of that individual.
- Accountability obligations
Accountability practices will be introduced as a requirement for organisations in the processing, management and protection of personal data.
Compliance with the PDPA is mandatory for every organisation, and failure to comply carries financial penalties and, more importantly, potential reputational damage. It is therefore useful to be reminded of the 5 common personal data protection pitfalls:
1. Failure to appoint a Data Protection Officer (DPO)
It is mandatory under the PDPA for all organisations, including sole proprietorships and non-profit organisations, to appoint a DPO.
A DPO’s role is essential to ensuring compliance with the PDPA when developing and implementing policies and processes for the handling of personal data. The DPO is the key person in charge of data protection matters in an organisation and should preferably be part of management, or work closely with management, in order to carry out the role effectively.
Other important responsibilities of a DPO include fostering a data protection culture amongst employees, communicating data protection policies to stakeholders, managing personal data protection-related queries and complaints, and serving as a liaison with the PDPC. A DPO’s business contact details should be made publicly available.
Organisations should pay special attention to the resource requirements of a DPO. Although the PDPA merely requires a person to be appointed, the role of a DPO is complex and intensive. Appointing an employee as DPO on top of their existing duties, without providing enough support or training, will make it difficult for the DPO to carry out the role effectively. It is recommended that the DPO role be a dedicated responsibility, or that it be carried out by a team in which certain responsibilities are delegated to other officers.
For organisations choosing to outsource their DPO, it should be noted that the DPO function remains the management’s responsibility. An outsourced DPO should only cover operational aspects.
Cases involving the ferry operator Horizon Fast Ferry and the tuition agency Championtutor, in which fines were imposed, are stark reminders of the consequences of failing to appoint a DPO.[1]
2. Human error
Whilst human error can never be fully eliminated from any business process, organisations should mitigate the risk of such errors by implementing robust and practical procedures when handling and processing personal data.
Examples of missteps leading to PDPA breaches include:
- Sending documents containing sensitive personal data to the wrong recipients, via e-mail, fax or physical mail.[2]
- Sending incorrect attachments, including attachments with extra pages of sensitive information from a different individual due to double-sided scanning of recycled paper.[3]
- Keying in individual e-mail addresses in the ‘To’ field rather than the ‘Bcc’ field, rendering them visible to every recipient of the e-mail.[4]
To address the prevalent mistakes in the printing and e-mailing process, the PDPC has published a Guide for Printing Processes for Organisations to help organisations put in place measures in their printing and e-mailing processes to protect personal data. Organisations should carefully evaluate the data lifecycle and put in place stringent procedural safeguards to reduce the risk of data breaches.
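The third misstep above (every individual keyed into the ‘To’ field) is one of the few in this list that a technical control can catch before the message leaves the organisation. The following is an added example, not code from the PDPC guide or from the article: it composes a one-to-many notice with the individuals in ‘Bcc’ only, and a pre-send check refuses any message whose visible recipient list (‘To’ plus ‘Cc’) is longer than a policy threshold. The addresses and the threshold of one visible recipient are constructed assumptions.

```python
"""Pre-send guard against the 'everyone in To:' mistake.

Added example, not part of the original article or the PDPC guide.
All addresses below are constructed placeholders, not real customers.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example.
SENDER = "notices@example.com"
CUSTOMERS = ["a.tan@example.com", "b.lim@example.com", "c.ng@example.com"]

# Assumed policy: a bulk notice may show at most one visible recipient
# (the sender's own mailbox); everyone else must be in Bcc.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg: EmailMessage) -> list:
    """Addresses every recipient will see: the To and Cc headers.

    Bcc is deliberately excluded; it is never disclosed to recipients.
    """
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def build_bulk_notice(sender: str, recipients: list, subject: str, body: str) -> EmailMessage:
    """Compose a one-to-many notice with the individuals hidden in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible recipient is the sender's own mailbox
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_leaky_notice(sender: str, recipients: list, subject: str, body: str) -> EmailMessage:
    """The mistake described in the text: every individual keyed into To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def recipient_exposure(msg: EmailMessage, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> list:
    """Return the addresses that would be disclosed if the message were sent as-is.

    An empty list means the message is within policy. More than `max_visible`
    visible recipients means individual addresses are about to be shown to
    every other recipient, so the whole visible list is returned for review.
    """
    visible = visible_recipients(msg)
    return visible if len(visible) > max_visible else []


def safe_to_send(msg: EmailMessage, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> bool:
    """True when the pre-send check passes; call this before handing to SMTP."""
    return not recipient_exposure(msg, max_visible)


if __name__ == "__main__":
    good = build_bulk_notice(SENDER, CUSTOMERS, "Service update", "Hello")
    bad = build_leaky_notice(SENDER, CUSTOMERS, "Service update", "Hello")
    print("bcc notice safe to send:", safe_to_send(good))
    print("leaky notice safe to send:", safe_to_send(bad), "exposes:", recipient_exposure(bad))
    # If the notice is later sent with smtplib.SMTP.send_message(), the Bcc
    # header is stripped before transmission, so the hidden recipients are
    # delivered to but never disclosed to one another.
```

The check is deliberately placed on the composed message rather than on the sending code, so it can run in whatever tool assembles the mailing (a script, a CRM export, a mail-merge step) before anything reaches the mail server. The same pattern extends to the other missteps in the list: a guard that inspects the outgoing artefact against a simple policy is cheaper than the breach notification that follows a mistake.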
Although human error may be tough to avoid, the importance of staff awareness training and inculcating a strong data protection culture within an organisation cannot be overemphasised. Regular training helps ensure that all staff members actively comply with the data protection measures that have been implemented.
3. Failure to respond promptly and appropriately to breaches
To date, the largest data breach in Singapore is the Integrated Health Information Systems (IHiS) and SingHealth data breach, in which the personal data of 1.5 million patients, including that of the Prime Minister of Singapore, Mr. Lee Hsien Loong, was stolen by hackers.[5]
According to the report published by the PDPC, SingHealth had been too dependent on IHiS, and the SingHealth staff member in charge of handling security incidents was unfamiliar with the incident response process. As a result, the cyberattack went unreported to the Cyber Security Agency of Singapore, and there was a delay in taking action to stop the attack even after suspicious activity had been correctly identified.
The PDPC determines the severity of non-compliance by taking into account both the measures an organisation took to prevent the data breach and the manner in which it responded to the breach. Organisations should therefore do their utmost to ensure that any incident involving personal data is handled swiftly and appropriately.
4. Weak IT security measures
A key contributing factor to the SingHealth incident was the lack of IT security measures to secure against unauthorised external access. Notably, two-factor authentication for administrator access was not enforced.
Organisations are recommended to conduct vulnerability assessments regularly to identify security gaps. Firewalls and anti-virus software are only basic protections and may be insufficient to prevent sophisticated cyberattacks.
To reduce the risks of administrator accounts being compromised, two-factor authentication should be used.
Finally, a password policy needs to be properly enforced, and security monitoring should be employed where necessary. In the data breach involving K Box, the administrator account used a very weak password, and the lack of security monitoring allowed staff to remove data without the organisation’s knowledge.[6]
5. Lack of personal data protection policy
Organisations should evaluate whether the data protection measures in place are sufficient to comply with the PDPA.
Compliance with the PDPA is an active and ongoing process. Data protection policies and procedures should be documented, and those documents reviewed and updated regularly. Organisations should consider integrating periodic training sessions and compliance checks into their regular processes.
The SingHealth data breach incident serves as a reminder that while organisations may outsource functions such as IT operations or the DPO role, the primary responsibility for compliance with the PDPA still lies with the organisation itself. Organisations must exercise due diligence to ensure that third parties have the necessary expertise.
© Infinity Legal LLC
[1] Baharudin, H. (2019, August 7). 5 companies, including Genki Sushi and CDP, fined $117k for not securing personal data. The Straits Times. https://www.straitstimes.com
[2] Vijayan, K.C. (2019, June 11). Law firm fined $8,000 for data protection breaches. The Straits Times. https://www.straitstimes.com. See also: Tham, I. (2018, May 3). Privacy watchdog fines three insurers, highlights serious lapses in new advisory. The Straits Times. https://www.straitstimes.com
[3] Ibid.
[4] Menon, M. (2019, August 4). Ikea Singapore apologises after more than 400 e-mail IDs revealed to customers. The Straits Times. https://www.straitstimes.com
[5] Loh, V. & Lim, J. (2019, September 17). PDPC slams SingHealth for being ‘overly dependent’ on IHiS, metes out S$1 million in fines for data breach. TODAY Singapore. https://www.todayonline.com
[6] Neo, C.C. (2016, October 26). Slack security measures led to leak of K Box customers’ data. TODAY Singapore. https://www.todayonline.com
The content of this article is for general information purposes only, and does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances. Infinity Legal LLC does not accept any responsibility for any loss which may arise from reliance on information or materials published in this article. Copyright in this publication is owned by Infinity Legal LLC. This publication may not be reproduced or transmitted in any form or by any means, in whole or in part, without prior written approval.